The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations to beware of a relatively new ransomware variant called FiveHands. The attacker group behind it (UNC2447) took advantage of a product flaw that allowed remote code execution without any need to authenticate. The vulnerability is tracked as CVE-2021-20016 and carries a severity score of 9.8 out of 10.

The criminal group UNC2447 monetizes its intrusions by first extorting victims with the FiveHands ransomware, then applying aggressive pressure through threats of media attention and by offering the victims' data for sale on hacker forums. UNC2447 has been observed targeting organizations in Europe and North America and has consistently shown advanced capabilities to evade detection and minimize post-intrusion forensic analysis.

The attackers targeted unpatched SonicWall Secure Mobile Access (SMA) 100 series remote access products, for which patches were released in February. Publicly available tools used by the group include SoftPerfect Network Scanner for discovery, and Microsoft's remote administration program PsExec.exe together with its related ServeManager.exe.
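The tools named above are legitimate administration utilities, so the defensive question is how to notice when they are being used for lateral movement. The following Python snippet is an added illustration, not code from the original post or from any vendor: it scans constructed Windows System event log records for service installations (Event ID 7045) whose service name or image path points at PsExec or the ServeManager.exe binary the post mentions. The record field names, the sample hosts and the paths are assumptions made for the example.

```python
"""Detection example (added illustration, not from the original post):
flag PsExec-style remote service installs in Windows System event log records.

Assumptions not stated on the page:
  - records are Event ID 7045 ("A service was installed in the system")
    exported as dicts with the keys EventID, Host, ServiceName, ImagePath
  - PsExec's documented default service name is PSEXESVC and its service
    binary is dropped as PSEXESVC.exe; ServeManager.exe is matched by
    file name only because the post lists it alongside PsExec
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators: PsExec's default service name plus the binaries the post names.
# Matching is case-insensitive on both the service name and the image path.
SUSPECT_SERVICE_NAMES = {"PSEXESVC"}
SUSPECT_IMAGE_PATTERNS = [
    re.compile(r"\\PSEXESVC\.exe$", re.IGNORECASE),
    re.compile(r"\\PsExec(64)?\.exe$", re.IGNORECASE),
    re.compile(r"\\ServeManager\.exe$", re.IGNORECASE),
]


@dataclass(frozen=True)
class Alert:
    host: str
    service_name: str
    image_path: str
    reason: str


def classify(record: Dict[str, object]) -> Optional[Alert]:
    """Return an Alert when a 7045 record matches one of the indicators, else None."""
    if str(record.get("EventID")) != "7045":
        return None  # only service-install events are of interest here
    host = str(record.get("Host", "?"))
    name = str(record.get("ServiceName", ""))
    image = str(record.get("ImagePath", ""))
    if name.upper() in SUSPECT_SERVICE_NAMES:
        return Alert(host, name, image, "PsExec default service name")
    for pattern in SUSPECT_IMAGE_PATTERNS:
        if pattern.search(image):
            return Alert(host, name, image, f"image path matches {pattern.pattern}")
    return None


def scan(records: List[Dict[str, object]]) -> List[Alert]:
    """Run classify() over every record and collect the non-empty results."""
    return [alert for alert in (classify(r) for r in records) if alert is not None]


# Constructed sample records for the demonstration (not real telemetry).
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"EventID": 7045, "Host": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Host": "WS02", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "Host": "SRV03", "ServiceName": "UpdateSvc",
     "ImagePath": r"C:\ProgramData\ServeManager.exe"},
    {"EventID": 4624, "Host": "WS01", "ServiceName": "", "ImagePath": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"{alert.host}: service '{alert.service_name}' installed from "
              f"{alert.image_path} ({alert.reason})")
```

The service name is a configurable detail of PsExec, so the image-path check is the more durable of the two rules; in a real deployment the records would come from forwarded System logs rather than the inline sample, and hits would be triaged against the organization's known administrative hosts.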

According to FireEye, the intrusions occurred in January and February 2021, and the threat actor used malware called SombRAT to deploy the FIVEHANDS ransomware. It should be noted that SombRAT was discovered in November 2020 by BlackBerry researchers in connection with a campaign called CostaRicto, launched by a group of mercenary hackers.

Additionally, SombRAT allows attackers to remotely download and run malicious DLLs on the target network. It also serves as the main component of the attacker’s command and control infrastructure.

As we always say, there are many ways to protect ourselves against these threats, such as keeping antivirus signatures and engines updated, applying operating system patches, and disabling file and printer sharing services. There are always ways, which is why it is important to stay informed and not fall victim to these risks.


One comment on "FiveHands is the new Ransomware Variant"
